Heap-Based Buffer Over-Read in libxml2 Affects PHP and Other Applications
CVE-2017-9049
7.5 HIGH
What is CVE-2017-9049?
A heap-based buffer over-read has been identified in the xmlDictComputeFastKey function of libxml2. It can potentially crash applications that use the library, including PHP. The vulnerability results from an incomplete fix for an earlier bug and affects various versions of libxml2. Users and administrators are advised to update to the latest versions to mitigate the risks associated with this issue.
